jquery - Escape dangerous code when allowing user MySQL filter creation -

i can display of release years of films in database. user can pick year , see of films released in year. or can show of genres of movie. user can choose genre , see of movies match criteria. built form in user can dynamically choose own criteria. instance "release date" "is after" "2000" return filtered list.

i wrote unprotected jquery/django code pass filters database. through combination of drop down boxes , user input boxes (exactly see in itunes), using jquery construct filter.

as example, let's user selects in first drop down: "year". second drop down: "is". last input box user enters "2005." criteria put array:

dictionary:  [     {"includes": [["year__iexact", "2005"]],      "excludes": []},      "all"  ]  

"includes"/"excludes" separates criteria "is", "is before" things "is not"
"all" designates filter should "match all", not "match any"

this converted json:

[{"includes":[["year__iexact","2005"]],"excludes":[]},"all"]   

and posted django.

the view in django puts data filter:

incdict[ filter[0].encode('utf-8') ] = filter[1].encode('utf-8')  

this becomes:

incdict[ 'year__iexact' ] = 2005  

that fed query (as instructed here:

query_set = film.objects.filter(**incdict)  

ok, hope clear. ask how protect against unscrupulous user seeks bypass/exploit input. need escape special characters? data validation? best way protect system?

even if allow freeform data filter() , exclude(), there's no way craft dangerous query them; type of query determined methods called, not data passed.